The minimal duration of the HSTS header is 1 month. This is a very long duration and might be risky.
Please add an HSTS max-age of 10 minutes for testing purposes, or allow setting max-age to any number.
https://community.cloudflare.com/t/worried-about-enabling-hsts-for-1-month/264310
You can use a Transform Rule to set the HSTS header to any value you like. Use the “HTTP Response Header Modification” type like this:
Thanks, but it would still be less complex to just add a 10-minute select option, so I don’t have to change it from 1 month.
I am sure many people are afraid to use the HSTS header even with a transform rule.
I saw even a year, while I prefer to use 6 months.
If all is secured and working over HTTPS, including redirection from HTTP to HTTPS, there is no need to be worried. It’s 2022 already, SSL certificates can be generated each month or each year, and web browsers are even pushing HTTPS-only.
I think the only reason someone would want a low setting for testing is because they might not be sure they’re fully compliant.
This just reminded me of one website from yesterday … If I may share my experience of what I saw:
I discovered the domain used Flexible SSL, but despite that, it was configured even on the origin to redirect everything from HTTP to HTTPS, and I saw the HTTP header for HSTS set to 6 months + Cloudflare had the same value and “all checkboxes were checked” for HSTS under SSL/TLS → Edge Certificates.
Nevertheless, the owner enabled Always Use HTTPS, Automatic HTTPS Rewrites, and there was no SSL certificate at the origin.
I was like, how is this all still working?
Total mess, and in the database - WordPress of course - when I went to run “search and replace”, over 43k links pointing to HTTP URLs were changed.
But, somehow it all worked using the plugin Really Simple SSL.
I am afraid neither this website, its owner, nor the origin was compliant with this, but hey, someone was also testing it, and hasn’t even turned it off, or wasn’t aware of leaving it like that?
I wonder what things I will see next in my life.
The simplest way is to add max-age=1min/1hour/1day/1week to allow a gradual increase in max-age and see that there are no problems.
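As an added example (not code from this thread or from Cloudflare), a small checker for the staged rollout described in this post: it parses a Strict-Transport-Security value, flags a policy browsers would not record, warns when preload is combined with a max-age below the one-year preload-list minimum, and reports the next rung of the ladder. The ladder values (1 min, 1 hour, 1 day, 1 week, then the 1-month dashboard minimum) and the sample header values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ramp from the post: 1 min, 1 hour, 1 day, 1 week, then the 1-month dashboard minimum (seconds).
ROLLOUT_STEPS = [60, 3600, 86400, 604800, 2592000]
PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org submission requirement

@dataclass
class Hsts:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(value: str) -> Optional[Hsts]:
    """Parse a Strict-Transport-Security header value. Returns None when max-age is missing or malformed."""
    max_age = None
    include_subdomains = preload = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return Hsts(max_age, include_subdomains, preload)

def next_rollout_step(current_max_age: int) -> Optional[int]:
    """Next rung of the ladder above the current max-age; None once at the top."""
    return next((s for s in ROLLOUT_STEPS if s > current_max_age), None)

def review(value: str) -> list[str]:
    """Findings for one header value, as a staged rollout would want them."""
    hsts = parse_hsts(value)
    if hsts is None:
        return ["no valid max-age: browsers will not record an HSTS policy from this header"]
    findings = []
    if hsts.preload and hsts.max_age < PRELOAD_MIN_AGE:
        findings.append("preload set but max-age is below the one-year preload-list minimum")
    if hsts.max_age == 0:
        findings.append("max-age=0: this clears any stored policy (useful to back out during testing)")
    nxt = next_rollout_step(hsts.max_age)
    if nxt is not None:
        findings.append(f"rollout: next step after max-age={hsts.max_age} is max-age={nxt}")
    return findings

if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    for sample in ["max-age=600", "max-age=15552000; includeSubDomains; preload", "includeSubDomains"]:
        print(sample, "->", review(sample))
```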
Does _headers file apply to HSTS too?
Did you give it a try? I’d prefer the Transform Rule, as it won’t be affected by what you do at Github.
I didn’t try it.